When the worm is executed, it saves its process ID to the following file:
The worm then attempts to connect to the following IRC server on TCP port 6667:
The worm waits for commands from the attacker.
The worm may attempt to connect to TCP port 23 at one of the following locations:
- A specific attacker-defined IP address
- An IP address range based on the compromised system's address (if a.b.c.d is the compromised address, the worm scans a.b.0.0 - a.b.255.255)
- Randomly generated IP addresses (x.y.0.0 - x.y.255.255, where x and y are randomly generated)
The worm may use attacker-supplied IDs and passwords.
The worm may attempt to download a shell script from the following location:
The shell script may download and execute additional malicious files (detected as Linux.Aidra).
The worm may also receive a command from the IRC server to perform denial of service (DoS) attacks.
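A defender-side check for the scanning behavior described above, as an added example that is not part of the original writeup: it flags hosts that contact many distinct addresses on TCP port 23 inside a single /16 and notes whether the same host also connected out on TCP port 6667. The flow records, the `min_targets` threshold and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port); none of these come from the writeup.
SAMPLE_FLOWS = (
    [("10.1.5.20", f"10.1.{i}.{i + 1}", 23) for i in range(40)]   # sweep of own /16
    + [("10.1.5.21", f"77.12.{i}.9", 23) for i in range(40)]      # sweep of a foreign /16
    + [("10.1.5.20", "203.0.113.7", 6667)]                        # outbound IRC
    + [("10.1.5.30", "10.1.9.9", 23), ("10.1.5.30", "10.1.9.10", 23)]  # routine telnet
)


def slash16(ip):
    """Return the /16 network containing ip (the a.b.0.0 - a.b.255.255 range)."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def find_telnet_sweeps(flows, min_targets=25):
    """Flag sources touching >= min_targets distinct hosts on tcp/23 in one /16.

    min_targets is an assumed threshold; tune it against normal telnet use.
    """
    targets = defaultdict(set)   # (src, dst /16) -> distinct tcp/23 destinations
    irc_sources = set()          # sources seen connecting out on tcp/6667
    for src, dst, port in flows:
        if port == 23:
            targets[(src, slash16(dst))].add(dst)
        elif port == 6667:
            irc_sources.add(src)

    findings = []
    for (src, net), dsts in sorted(targets.items(),
                                   key=lambda kv: (kv[0][0], str(kv[0][1]))):
        if len(dsts) < min_targets:
            continue
        # A sweep of the source's own /16 matches the range-based scan;
        # a sweep of any other /16 matches the randomly generated x.y range.
        kind = "own-/16" if ipaddress.ip_address(src) in net else "other-/16"
        findings.append({
            "src": src,
            "net": str(net),
            "kind": kind,
            "targets": len(dsts),
            "irc_6667": src in irc_sources,
        })
    return findings


if __name__ == "__main__":
    for finding in find_telnet_sweeps(SAMPLE_FLOWS):
        print(finding)
```
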
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":